Customizing Installers for OpenAFS and MIT Kerberos for Windows
Asanka C Herath, Secure Endpoints Inc.
WHY TRANSFORMS?
Original installer.msi + Transform 1.mst → Customized Installer 1.msi
Original installer.msi + Transform 2.mst → Customized Installer 2.msi
New installer.msi + Transform 1.mst → Customized New Installer 1.msi
Transforms are …
• Packaged customizations
  – Can be applied to newer installers
  – Manage and document
• Supported
  – Used with Group Policy software assignment
ESSENTIAL WINDOWS INSTALLER
Not a complete Windows Installer guide
Refer to the Windows Installer documentation on Microsoft Developer Network or the Windows Platform SDK Documentation for more details.
Windows Installer Packages are …
• Based on a relational database model
  – Each installer ‘database’ contains information and data files used to install a product
• Declarative
• Organized into features and components
A Component
A piece of an application that is versioned and installed as a coherent whole.
• Identified by a GUID
  {E353AA81-667F-44a1-8C04-133FCDD42E5E}
• Can contain a single file, a group of files, a file and a group of registry settings, a single registry setting, a shortcut, etc…
  (Diagram: component {E353AA81-667F-44a1-8C04-133FCDD42E5E} containing File A, Registry setting 1, Registry setting 2)
• Has a “key path”
• Can be shared across features, products and companies
A Component has rules …
(In brief, from ‘Windows Installer Components’, Microsoft Developer Network Library)
1. Each component must be stored in a single directory.
2. No file, registry entry, shortcut, or other resources should ever be shipped as a member of more than one component. This applies across products, product versions and companies.
A Feature
A high-level user-visible hierarchical grouping of components and other features
Features and Components
afsd_service.exe
afslogon.dll
Service install for TransarcAFSDaemon
HKLM\...\WinLogon\Notify\..., DLLName
HKLM\...\WinLogon\Notify\..., Startup
Properties
• Are strings
• Can be specified at runtime or via a transform
  – Only “public” properties can be specified at runtime
• Can be used to condition the installation of components
Customization via TRANSFORMS
How transforms work
• Installer databases consist of a ‘relational-type’ database and an associated file storage.
  – OpenAFS for Windows and MIT Kerberos for Windows use cabinets.
• A transform is a set of changes that is made to the database contents.
• The file storage is unaffected.
Making a transform
• Make a copy of the original
• Make any required changes to the copy
• ‘Diff’ the two
or
• Use ORCA.exe to edit and generate the transform…
Ingredients
• Windows Installer SDK (Part of the Windows SDK)
  – ORCA.exe
  – MsiTran.exe (optional)
  – MsiDb.exe (optional)
  – WiLstXfm.vbs (optional)
• Original MSI installers
CUSTOMIZATION USING PROPERTIES
A walkthrough
Original installer.msi + Modified installer.msi → Transform.mst
msitran -g OriginalInstaller.msi ModifiedInstaller.msi Transform.mst
Original installer.msi + Transform.mst → Modified installer.msi
copy OriginalInstaller.msi ModifiedInstaller.msi
msitran -a Transform.mst ModifiedInstaller.msi
ADDING REGISTRY KEYS
A walkthrough
Overview
• OpenAFS
  – Add a set of domain specific registry keys to enable integrated logon for EXAMPLE.COM realm.
HKLM\...\TransarcAFSDaemon\NetworkProvider\Domain\EXAMPLE.COM, LogonOptions = 1
According to Appendix A section 2.1 of the OpenAFS for Windows Release Notes.
Creating the key becomes a separate registry entry.
HKLM\...\TransarcAFSDaemon\NetworkProvider\Domain\EXAMPLE.COM (Create key)
HKLM\...\TransarcAFSDaemon\NetworkProvider\Domain\EXAMPLE.COM, LogonOptions = 1
We need a component to hold the registry entries. (Don’t forget the key path and GUID)
Create a new feature to keep our component separate from the rest of the feature-component hierarchy.
Attach the feature to the rest of the feature-component hierarchy.
(Diagram labels: OpenAFS, Client)
And again from the top, but this time with Windows Installer tables …
Component (Attributes value 4 = msidbComponentAttributesRegistryKeyPath)
FeatureComponents
Feature (Attribute value 10 = msidbFeatureAttributesFollowParent + msidbFeatureAttributesDisallowAdvertise)
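The table edits from this walkthrough written out as Windows Installer SQL, as an added example that is not taken from the original slides. The row names (regExampleDomainKey, regExampleLogonOptions, cmpExampleDomain, feaExampleDomain), the parent feature name feaClient, the TARGETDIR directory, the Display and Level values and the GUID placeholder are assumptions; the `...` in the key is the part of the path the slides elide. The `--` lines are notes for the reader: each statement is run on its own against the copy of the installer (or the same rows are typed into ORCA) before the transform is generated with msitran -g.

```sql
-- Registry table. Root 2 = HKEY_LOCAL_MACHINE.
-- A Name of '+' with no Value creates the key itself at install time.
INSERT INTO `Registry` (`Registry`, `Root`, `Key`, `Name`, `Component_`)
  VALUES ('regExampleDomainKey', 2,
          '...\TransarcAFSDaemon\NetworkProvider\Domain\EXAMPLE.COM',
          '+', 'cmpExampleDomain')

-- The '#' prefix stores the value as an integer: LogonOptions = 1.
INSERT INTO `Registry` (`Registry`, `Root`, `Key`, `Name`, `Value`, `Component_`)
  VALUES ('regExampleLogonOptions', 2,
          '...\TransarcAFSDaemon\NetworkProvider\Domain\EXAMPLE.COM',
          'LogonOptions', '#1', 'cmpExampleDomain')

-- Component table. Attributes 4 = msidbComponentAttributesRegistryKeyPath,
-- so KeyPath names a Registry row rather than a File row.
-- ComponentId must be a freshly generated GUID (placeholder shown here).
-- Directory_ is required even for a registry-only component; TARGETDIR is
-- an assumption, any directory already in the installer will do.
INSERT INTO `Component` (`Component`, `ComponentId`, `Directory_`, `Attributes`, `KeyPath`)
  VALUES ('cmpExampleDomain', '{PLACEHOLDER-GENERATE-A-NEW-GUID}',
          'TARGETDIR', 4, 'regExampleLogonOptions')

-- Feature table. Attributes 10 = msidbFeatureAttributesFollowParent (2)
-- + msidbFeatureAttributesDisallowAdvertise (8).
-- Feature_Parent attaches the new feature to the existing hierarchy;
-- 'feaClient' stands in for the installer's real Client feature name.
-- Display 0 keeps the feature out of the feature-selection UI; Level 1
-- installs it by default (both values are assumptions).
INSERT INTO `Feature` (`Feature`, `Feature_Parent`, `Display`, `Level`, `Attributes`)
  VALUES ('feaExampleDomain', 'feaClient', 0, 1, 10)

-- FeatureComponents table: ties the new component to the new feature.
INSERT INTO `FeatureComponents` (`Feature_`, `Component_`)
  VALUES ('feaExampleDomain', 'cmpExampleDomain')
```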
REPLACING CONFIGURATION FILES
A walkthrough
Overview
• OpenAFS
  – Replace the CellServDB in the installer with a custom file.
A problem
• Since Windows Installer transforms do not change the embedded cabinet or source files, we can’t change the CellServDB that is included in the installer.
A solution
• Block the CellServDB file in the installer
• Include a new CellServDB file
  – We can either embed the new CellServDB file in the installer or we can place it in the same location as the installer.
The ‘Condition’ column
• Non-existent or empty properties evaluate to FALSE.
(Diagram labels: OpenAFS, Client, CellServDB)
File table (Attribute 8192 = msidbFileAttributesNoncompressed)
Component table (Attributes value 144 = msidbComponentAttributesPermanent + msidbComponentAttributesNeverOverwrite)
Media table (LastSequence = sequence number of last file in media. The value of 1000 makes this the source media for the newly added CellServDB file.)
Useful Resources
• Windows Installer documentation
• OpenAFS for Windows release notes
• MIT Kerberos for Windows MSI Deployment Guide
Q?
THANK YOU
Asanka C. Herath
Secure Endpoints Inc.